Security Orchestration, Automation, and Response for Security Analysts

Book description

Become a security automation expert and build solutions that save time while making your organization more secure

Key Features

What’s inside

  • An exploration of the SOAR platform’s full features to streamline your security operations
  • Lots of automation techniques to improve your investigative ability
  • Actionable advice on how to leverage the capabilities of SOAR technologies such as incident management and automation to improve security posture

Book Description

What your journey will look like

With the help of this expert-led book, you’ll become well versed with SOAR, acquire new skills, and make your organization's security posture more robust.

You’ll start with a refresher on the importance of understanding cyber security, diving into why traditional tools are no longer helpful and how SOAR can help.

Next, you’ll learn how SOAR works and what its benefits are, including optimized threat intelligence, incident response, and utilizing threat hunting in investigations.

You’ll also get to grips with advanced automated scenarios and explore useful tools such as Microsoft Sentinel, Splunk SOAR, and Google Chronicle SOAR.

The final portion of this book will guide you through best practices and case studies that you can implement in real-world scenarios.

By the end of this book, you will be able to successfully automate security tasks, overcome challenges, and stay ahead of threats.

What you will learn

  • Reap the general benefits of using the SOAR platform
  • Transform manual investigations into automated scenarios
  • Learn how to manage known false positives and low-severity incidents for faster resolution
  • Explore tips and tricks using various Microsoft Sentinel playbook actions
  • Get an overview of tools such as Palo Alto XSOAR, Microsoft Sentinel, and Splunk SOAR

Who this book is for

You'll get the most out of this book if:

  • You're a junior SOC engineer, junior SOC analyst, a DevSecOps professional, or anyone working in the security ecosystem who wants to upskill toward automating security tasks
  • You often feel overwhelmed with security events and incidents
  • You have general knowledge of SIEM and SOAR, which is a prerequisite
  • You’re a beginner, in which case this book will give you a head start
  • You’ve been working in the field for a while, in which case you’ll add new tools to your arsenal

Table of contents

  1. Security Orchestration, Automation, and Response for Security Analysts
  2. Foreword
  3. Contributors
  4. About the author
  5. About the reviewers
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Download the color images
    6. Conventions used
    7. Get in touch
    8. Share your thoughts
    9. Download a free PDF copy of this book
  7. Part 1: Intro to SOAR and Its Elements
  8. Chapter 1: The Current State of Cybersecurity and the Role of SOAR
    1. Traditional versus modern security
    2. The current state of cybersecurity
    3. What is SOAR?
    4. Summary
  9. Chapter 2: A Deep Dive into Incident Management and Investigation
    1. What are SOC tiers?
    2. Understanding incident management
      1. Why do we need incident management in SOAR?
      2. Exploring incident management features
    3. Investigating NIST and SANS incident management frameworks
      1. Preparation
      2. Detection and analysis/identification
      3. Containment, eradication, and recovery
      4. Post-incident activity/lessons learned
    4. Incident tasks – to do or not to do
    5. Investigation starting point – incident investigation page
    6. The incident investigation process
      1. Execute incident prioritization
      2. Conduct incident triage
      3. Dig deeper for better context
      4. Don’t reinvent the wheel
    7. Understanding threat hunting
    8. Summary
  10. Chapter 3: A Deep Dive into Automation and Reporting
    1. An in-depth view of automation
      1. What should be automated?
      2. Automation versus the SOC analyst
      3. Utilizing the SOC analyst or user input for automation
      4. Pros and cons of automation
    2. An in-depth view of reporting
      1. What is reporting and why is it crucial?
      2. Are reports the new incident management?
      3. What is the proper way to utilize reporting?
    3. TI and TVM – how important are they?
    4. Summary
  11. Part 2: SOAR Tools and Automation Hands-On Examples
  12. Chapter 4: Quick Dig into SOAR Tools
    1. Microsoft Sentinel SOAR
      1. Incident management
      2. Investigation
      3. Automation
      4. Reporting
      5. TI and TVM
    2. Splunk SOAR (Phantom)
      1. Incident management and investigation
      2. Automation
      3. Reporting
      4. TI and TVM
      5. The administration pane
    3. Google Chronicle SOAR (Siemplify)
      1. Incident management
      2. Investigation
      3. Automation
      4. Reporting
      5. TI and TVM
      6. Administration pane
    4. Summary
  13. Chapter 5: Introducing Microsoft Sentinel Automation
    1. The purpose of Microsoft Sentinel automation
    2. All about automation rules
      1. Navigating the automation rule GUI
      2. Permissions
      3. Triggers
      4. Conditions
      5. Actions
      6. Rule expiration and order
    3. All about playbooks
      1. Navigating the playbooks GUI
      2. Permissions
      3. Logic Apps connectors and authentication
      4. Triggers
      5. Actions
      6. Dynamic content
    4. Monitoring automation rules and playbook health
    5. Summary
  14. Chapter 6: Enriching Incidents Using Automation
    1. Why should you use automation for incident enrichment?
    2. Creating your own Microsoft Sentinel trail
    3. VirusTotal playbook – IP enrichment
      1. Creating a playbook
      2. Testing a playbook
    4. VirusTotal playbook – URL enrichment
      1. Creating a playbook
      2. Testing a playbook
    5. Summary
  15. Chapter 7: Managing Incidents with Automation
    1. Automated false-positive incident closure with a watchlist
      1. Creating a playbook
      2. Testing a playbook
    2. Closing an incident based on SOC analyst input
      1. Creating a playbook
      2. Testing a playbook
    3. Auto-closing incidents using automation rules
      1. Creating an automation rule
      2. Testing an automation rule
    4. Summary
  16. Chapter 8: Responding to Incidents Using Automation
    1. Automating responses to incidents
    2. Blocking a user upon suspicious sign-in
      1. Creating a playbook
      2. Testing a playbook
    3. Isolating a machine upon new malware detection
      1. Creating a playbook
      2. Testing a playbook
    4. Summary
  17. Chapter 9: Mastering Microsoft Sentinel Automation: Tips and Tricks
    1. Best practices for working with dynamic content and expressions
    2. Understanding the HTTP action and its usage
      1. Elements of the HTTP action
      2. Utilizing the HTTP action
      3. Applying API permissions to a managed identity
    3. Exploring more playbook actions
      1. Switch
      2. Select and Create HTML table
      3. Compose
      4. Parse JSON
    4. Summary
  18. Index
    1. Why subscribe?
  19. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share your thoughts
    3. Download a free PDF copy of this book

Product information

  • Title: Security Orchestration, Automation, and Response for Security Analysts
  • Author(s): Benjamin Kovacevic, Nicholas Dicola
  • Release date: July 2023
  • Publisher(s): Packt Publishing
  • ISBN: 9781803242910